“Is Apple getting sloppy?”
That was the headline of a BBC article published on Wednesday, November 29th, 2017, reporting the discovery of a major security issue in Apple’s macOS High Sierra operating system. It seems that a bug within the OS made it possible for anyone to access a High Sierra computer by exploiting a simple login loophole.
Usually, when you log in as a user on a Mac, you must enter your username and password. On machines running High Sierra, though, it was possible to enter “root” as the username, leave the password field blank, and then click the login button several times in succession. This process allowed someone to access a Mac computer running High Sierra even if they didn’t have an actual username or password and, worse yet, to do so as root!
The vulnerability garnered global attention on Tuesday, November 28th, when software developer Lemi Orhan Ergin tweeted a message to Apple Support to report the problem. Apple quickly responded to Ergin’s tweet and set to work developing a patch to fix the issue.

The security fix was rolled back when users updated to macOS 10.13.1.
The serious and surprising root security bug in macOS High Sierra is back for some users, shortly after Apple declared it fixed. Users who had not installed macOS 10.13.1 (and thus were running a prior version of the OS when they received the security update) found that installing 10.13.1 resurfaced the bug, according to a report from Wired.
For these users, the security update can be installed again (in fact, it would be automatically installed at some point) after updating to the new version of the operating system. However, the bug is not fixed in that case until the user reboots the computer. Many users do not reboot their computers for days or even weeks at a time, and Apple's support documentation did not, at first, inform users that they needed to reboot, so some people may have been left vulnerable without realizing it. The documentation has since been updated to include the reboot step.